MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 19823c1371c931da3d4afa4d8db40a2313078d7cc0175c2b2b42f3d2aa97bdac. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 19823c1371c931da3d4afa4d8db40a2313078d7cc0175c2b2b42f3d2aa97bdac
SHA3-384 hash: 2e1956c4c33740aa579d941772761396d15bb92f31f065a2f896a87b91cc0f5315858a3f6dea3bbda1f24963a9b7e069
SHA1 hash: 08876a91adbd00d1ac9ef261b2f7baf63df8bdb0
MD5 hash: c9d3440ee4d5ecab25cd71056ec72023
humanhash: uniform-spaghetti-finch-indigo
File name:OC-8563 PURCHASE ORDER.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:290'816 bytes
First seen:2025-04-02 04:14:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 6144:te2vr7riDFG1kaMAdJGuRzJDOo000I5NURMYHJt29nPr3QcaE:DvHGDoztdDT0zI5NSFqPT1
TLSH T1C5542310E6227C0FC92DBC7006C70EC5BAC2AEFB5E5616A1EA55F0C7ECB51B9650784B
TrID 35.7% (.EXE) Win32 Executable (generic) (4504/4/1)
16.3% (.ICL) Windows Icons Library (generic) (2059/9)
16.1% (.EXE) OS/2 Executable (generic) (2029/13)
15.8% (.EXE) Generic Win/DOS Executable (2002/3)
15.8% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter threatcat_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
485
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
OC-8563 PURCHASE ORDER.exe
Verdict:
No threats detected
Analysis date:
2025-04-02 04:16:41 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/2b34efb4-0995-4e60-ab90-197ac9091f5b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/33/
Detection(s):
SecuriteInfo.com.Win32.TrojanX-gen.4247.18326.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
90.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67ecbc05855e5ec5240c0132
Tags:
injection overt virus
Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
masquerade microsoft_visual_cc overlay packed packed packer_detected
Link:
https://www.filescan.io/uploads/67ecb9d5f274bf2d8e2d958b/reports/8a41ca11-4399-47e9-a3f4-97f8b404d4bc/overview
Verdict:
Malicious
Labled as:
Mikey.Generic
Link:
https://www.hybrid-analysis.com/sample/19823c1371c931da3d4afa4d8db40a2313078d7cc0175c2b2b42f3d2aa97bdac
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5ebc56e3-0903-4ae6-947b-40ffd3392df3
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1654232
Signature
Antivirus / Scanner detection for submitted sample
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample has a suspicious name (potential lure to open the executable)
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1654232 Sample: OC-8563 PURCHASE ORDER.exe Startdate: 02/04/2025 Architecture: WINDOWS Score: 100 24 www.pembawa.xyz 2->24 26 www.truenorthcards.org 2->26 28 3 other IPs or domains 2->28 36 Suricata IDS alerts for network traffic 2->36 38 Antivirus / Scanner detection for submitted sample 2->38 40 Multi AV Scanner detection for submitted file 2->40 44 3 other signatures 2->44 9 OC-8563 PURCHASE ORDER.exe 2->9         started        signatures3 42 Performs DNS queries to domains with low reputation 24->42 process4 signatures5 48 Maps a DLL or memory area into another process 9->48 12 eOL1QvJCahkvGRkphhVDdJ.exe 9->12 injected process6 signatures7 50 Found direct / indirect Syscall (likely to bypass EDR) 12->50 15 sdiagnhost.exe 13 12->15         started        process8 signatures9 52 Tries to steal Mail credentials (via file / registry access) 15->52 54 Tries to harvest and steal browser information (history, passwords, etc) 15->54 56 Modifies the context of a thread in another process (thread injection) 15->56 58 3 other signatures 15->58 18 eOL1QvJCahkvGRkphhVDdJ.exe 15->18 injected 22 firefox.exe 15->22         started        process10 dnsIp11 30 www.truenorthcards.org 74.208.236.36, 49701, 80 ONEANDONE-ASBrauerstrasse48DE United States 18->30 32 www.dramavietsub.net 109.123.230.180, 80 CASABLANCA-ASInternetCollocationProviderCZ Czech Republic 18->32 34 2 other IPs or domains 18->34 46 Found direct / indirect Syscall (likely to bypass EDR) 18->46 signatures12
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/19823c1371c931da3d4afa4d8db40a2313078d7cc0175c2b2b42f3d2aa97bdac
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/19823c1371c931da3d4afa4d8db40a2313078d7cc0175c2b2b42f3d2aa97bdac/
Threat name:
Win32.Backdoor.FormBook
Create hunting rule
Status:
Malicious
First seen:
2025-04-02 04:15:23 UTC
File Type:
PE (Exe)
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dgbdye3rzey5upkk7jgy3nakemjqpdl4yalvykzlilz5fkuxxwwa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
error
Formbook
Result
Malware family:
n/a
Score:
  3/10
Tags:
discovery
Link:
https://tria.ge/reports/250402-evegys1vd1/
Behaviour
Suspicious behavior: EnumeratesProcesses
System Location Discovery: System Language Discovery
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/501ab60b-8b69-4e52-a84c-99c86f1a1dd3
Unpacked files
SH256 hash:
19823c1371c931da3d4afa4d8db40a2313078d7cc0175c2b2b42f3d2aa97bdac
MD5 hash:
c9d3440ee4d5ecab25cd71056ec72023
SHA1 hash:
08876a91adbd00d1ac9ef261b2f7baf63df8bdb0
Link:
https://www.unpac.me/results/707e360f-0cf2-4484-98ef-ac5db17a1b5d/
SH256 hash:
ea33a7bd36e13fed89303d9f696f912ab8eee2fdbc05b6f9823a076bd6eba6f6
MD5 hash:
66e02d25a4040934077c828d4ce5c3d7
SHA1 hash:
c287135223665beedc13de5760f126db3f37d356
Link:
https://www.unpac.me/results/707e360f-0cf2-4484-98ef-ac5db17a1b5d/
SH256 hash:
05e9f2ac24c684327ee07600762519ef70144cbfb1175580a0fb026fc2b88da3
MD5 hash:
593a037852a346c387bfd9ed378c1973
SHA1 hash:
e3a3e3ea1a9159d14edf3b0ac24199747976937b
Detections:
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/707e360f-0cf2-4484-98ef-ac5db17a1b5d/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/19823c1371c9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.94
Link:
https://yomi.yoroi.company/submissions/19823c1371c931da3d4afa4d8db40a2313078d7cc0175c2b2b42f3d2aa97bdac

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 19823c1371c931da3d4afa4d8db40a2313078d7cc0175c2b2b42f3d2aa97bdac

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/33/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments